Add Sentinel CI workflow for workflow security scanning

[jpr5]

Summary

• Adds .github/workflows/sentinel.yml — runs Sentinel on every PR and push to main
• Configured in warn-only mode (fail-on-findings: false) so it surfaces findings without blocking merges
• Part of org-wide Sentinel rollout (spec)

Details

Setting	Value
Trigger	pull_request + push to main
Severity threshold	high
Blocking	No (fail-on-findings: false)
Timeout	10 minutes
Permissions	contents: read (least privilege)

Test plan

• Verify workflow appears in Actions tab after merge
• Confirm scan runs on next PR and produces annotations without failing the check

[jpr5]

Force-pushed with SHA-pinned actions to satisfy zizmor's unpinned-uses rule. Per the org-wide sentinel rollout, the floating-tag-for-easy-updates model is being replaced with SHA-pin + dependabot. Spec updated. Rest of the PR unchanged.

[jpr5]

Promoted to blocking mode — this repo had zero sentinel findings on the warn-only scan, so we're skipping the 7-day warn-only observation period. fail-on-findings is now true; future PRs that introduce critical/high findings will block merge.